
Michael P. Regan is a Bloomberg Gadfly columnist covering equities and financial services. He has covered stocks for Bloomberg News as a columnist and editor since 2007. He previously worked for the Associated Press.

When reading about the Digital Don, Gery Shalon, and his mob of cybercriminals, who prosecutors say ran amok through the databases of some of the world's biggest financial firms, it's hard to know what to be most shocked about.

Is it the simple fact that they were able to infiltrate the systems of JPMorgan Chase, Fidelity Investments, E*Trade, Scottrade and Dow Jones? Or is it the fact that with the keys to the kingdom in hand, the financial losses weren't much greater?

Then there is the long and, frankly, impressive list of crimes they were able to dabble in over several years: pump-and-dump penny stock fraud, money laundering, illegal online gambling, credit card fraud, fake pharmaceuticals. All that's missing from the sordid tale told in the indictment is an online Bada Bing Club.

What's most shocking, however, may be the knowledge that there is not much confidence from the experts that the financial system has bolstered its defenses enough to prevent a repeat.

It's not for a lack of trying. JPMorgan, which was robbed of data related to 83 million customers, spent $250 million on cybersecurity in 2014. It expects the bill to double this year and be even higher next year. Bank of America CEO Brian Moynihan has said his computer security team has a more or less blank check.

In a modern financial system that's knit closely together through the Internet, potential suspects lurk everywhere. Here's a sampling of what JPMorgan is up against, according to the bank's third-quarter filing with the SEC:

Third parties with which the Firm does business or that facilitate the Firm’s business activities (e.g., vendors, exchanges, clearing houses, central depositories, and financial intermediaries) could also be sources of cybersecurity risk to the Firm, including with respect to breakdowns or failures of their systems, misconduct by the employees of such parties, or cyberattacks which could affect their ability to deliver a product or service to the Firm or result in lost or compromised information of the Firm or its clients. In addition, customers with which or whom the Firm does business can also be sources of cybersecurity risk to the Firm, particularly when their activities and systems are beyond the Firm’s own security and control systems.

JPMorgan is not the only one with a healthy case of paranoia.

In a survey of clients earlier this year by the Depository Trust & Clearing Corp., cyberthreats were identified as the top risk by a long shot -- greater than geopolitical risk, new regulations, a U.S. economic slowdown or Federal Reserve monetary policy.

[Chart: Anxiety Lies Online. Client survey by Depository Trust & Clearing Corp. identified cybersecurity as top risk. Percentage of respondents placing selected topics in the top five of systemic risks to the broader economy in 1Q. Source: DTCC.]

What's also startling is how organized and sophisticated Shalon's group is portrayed in the indictment: more than 100 people involved in a dozen countries, taking in hundreds of millions of dollars. And that is just one group.

This is a big problem that has been brewing for years, with little being done to address it by the regulators who are responsible for protecting the customers who have to deal with the consequences of stolen data. When it comes to this issue, the nation, in essence, may be like the proverbial frog boiling in a pot of water. (Side note: Whether or not a frog will really sit still while the water temperature gets hotter and hotter is open for debate, but as a metaphor this one is watertight.)

[Chart: Uncle Sam's Cyber Spending. A growth industry. Major sources of federal cybersecurity spending. Does not include classified budget. Figures for 2015 are budget requests. Source: Bloomberg Government.]

The government seems to have fallen down on the job when it comes to protecting corporate America in general and financial firms in particular, putting the onus on the companies themselves to secure their customers' data. If a shoplifter targets a store, it's reasonable to expect the store's security guard to handle things. But is it reasonable for the same guard to handle an organized, multinational ring of sophisticated criminals?

One attempted remedy is to encourage corporate victims of cybercrime to share information with the government about the threats they encounter. That's the whole point of the Cybersecurity Information Sharing Act, which privacy advocates and companies have criticized again and again and again.

It's fine and good for the righteous idealist set to worry about privacy. But when corporate data breaches regularly result in criminals obtaining the personal information of tens of millions of customers at a time, it makes you wonder what privacy is left to worry about.

Instead, the government needs to formulate a more aggressive plan to keep cybercriminals out of corporate databases. The Cybersecurity Information Sharing Act is way too little, way too late -- like offering a cold drink to a frog in a pot of boiling water.

Policy makers and the general population have famously been known to "fight the last war" rather than prepare properly for the next one.

That notion springs to mind after hearing Republican candidates debate on Tuesday night about what to do in the event that a too-big-to-fail bank needs to be bailed out. Never mind that proposed capital rules require banks to maintain a total loss-absorbing capacity of 18 percent by the end of 2021, diminishing the odds that we ever have to fight that war again.

No, the next great threat is less likely to be the enemy within. It's more likely to be the one we can't see, with an Internet connection and criminal imagination. We need to be more fully prepared for that one. 
 

This column does not necessarily reflect the opinion of Bloomberg LP and its owners.

To contact the author of this story:
Michael P. Regan in New York at mregan12@bloomberg.net

To contact the editor responsible for this story:
Daniel Niemi at dniemi1@bloomberg.net